Re: Need advice re (low end) firewall

From: glassgnost (dlindnerSPAMBLOCKED@socal.rr.com)
Date: 08/15/02

Greg Hennessy wrote:
> On Thu, 15 Aug 2002 16:38:35 GMT, "PWLFE" <pjw75@attbi.com> wrote:
>
>
>>Greetings,
>>
>>We have one server that sits (wide open) on the internet running IIS
>
>
> That was a really silly thing to do.
>
>
>>It is
>>not connected to any other network. The info on it is not that sensitive,
>>and we don't care who sees it or deletes it.
>
>
> It's business-related material. Do your customers know that you treat
> their information in this cavalier manner?
>
>
>
>> What we DO care about is the
>>bandwidth that the pirates have sucked up. I found in the recycler folder a
>>folder that had 2gb worth of pirated DVD files.
>
>
> You are aware of the potential legal grief you are letting yourself in for
> ?
>
>
>>As far as I know, I pretty much have to format the box, reinstall and
>>repatch to current MS / IIS security standards.
>
>
> The MS baseline security analyser is your friend.
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/MBSAhome.asp
>
> http://www.systemexperts.com/win2k/HardenWin2K.html
>
> http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/tips/iis5chk.asp
>
>
>
>>I also need to put some sort
>>of firewall in place to allow ONLY HTTP to and from this box. It is used to
>>take surveys anonymously. (single application) I would like to use a
>>software firewall (inexpensive) vs an appliance if possible.
>
>
> Don't.
>
> The key to decent security is defence in depth.
> This means a
> hardware firewall +
> host based IDS on the server +
> a connection back to your LAN so it can tell you its under assault +
> (if you are really paranoid a local security policy on the win2k box using
> the inbuilt packet filtering) +
> enabling admin terminal services so you can login remotely and do something
> about it.
>
> At the very minimum.
>
> The host-based IDS bit is easy. Use the server version of BID.
>
> http://www.iss.net/products_services/hsoffice_protection/blkice_protect_server.php
>
>
> Firewall-wise, depending on your level of expertise, the options are rich
> and varied. A firewall appliance of some sort is essential. No moving parts
> == more uptime.
>
> At the very minimum a Cisco PIX 501 or NetScreen 5XP, and run a VPN from
> your network in to manage/communicate with the server.
>
> A 3 interface appliance with a leg directly connected to your LAN would be
> a lot better and less hassle to setup.

I agree except on one major point: if you don't need to connect it to
anything other than the net, keep it isolated. Run your files over on CD-ROM.

Assuming that you're on a budget (and since you consider its content
trivial), just turn on the IP filters, deny all inbound but port 80 -
maybe even unbind NetBIOS from the NIC (keep it on the loopback) - get a
cheap SOHO firewall to drop malformed packets. A second-hand WebRamp or
similar should run you about $20 or so on eBay.

If you go second-hand, I suggest dumping the firmware and reloading it
with an image from a trusted source before putting it into production.

-- 
Mystical Reverend Doktor glassgnost, Minister of Unnatural Selection
-- dlindner (at) socal (dot) rr (dot) com --
Eternal Salvation or Triple Your Money Back!
http://www.subgenius.com   ...or kill me!

There's nothing disgusting about it [the Companion]. It's just another life form, that's all. You get used to those things. -- McCoy, "Metamorphosis", stardate 3219.8
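An added example (not from anyone in this thread) that models the host packet-filter policy the reply above recommends for the survey box: inbound TCP/80 only, NetBIOS ports blocked on the public NIC, malformed TCP flag combinations dropped, and only replies to connections the server itself opened admitted. Packet fields, port numbers other than 80 and the NetBIOS set, and the malformed-flag list are constructed for the example.

```python
# Added example: a minimal model of a "deny all inbound but port 80" host filter.
# All packets below are constructed; nothing here is taken from the thread.
from dataclasses import dataclass, field

WEB_PORT = 80
NETBIOS_PORTS = {135, 137, 138, 139, 445}        # keep these off the public NIC
# TCP flag combinations a sane stack never sends; a perimeter box should drop them.
MALFORMED_FLAGS = (set(), {"SYN", "FIN"}, {"SYN", "RST"}, {"FIN", "PSH", "URG"})

@dataclass(frozen=True)
class Packet:
    direction: str                  # "in" or "out" relative to the server
    proto: str                      # "tcp" or "udp"
    src_port: int
    dst_port: int
    flags: frozenset = frozenset()  # TCP flags; empty for UDP

@dataclass
class HostFilter:
    # (remote_port, local_port) of outbound TCP connections the server opened,
    # e.g. fetching patches; their replies are the only other inbound traffic allowed.
    outbound: set = field(default_factory=set)

    def decide(self, pkt: Packet) -> str:
        """Return 'allow' or 'deny' for one packet, updating the outbound table."""
        if pkt.proto == "tcp" and set(pkt.flags) in MALFORMED_FLAGS:
            return "deny"                       # drop malformed packets outright
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.flags == frozenset({"SYN"}):
                self.outbound.add((pkt.dst_port, pkt.src_port))
            return "allow"                      # the box may talk out
        # Inbound from here on.
        if pkt.dst_port in NETBIOS_PORTS or pkt.src_port in NETBIOS_PORTS:
            return "deny"                       # NetBIOS/SMB never from the net
        if pkt.proto == "tcp" and pkt.dst_port == WEB_PORT:
            return "allow"                      # the one published service
        if (pkt.proto == "tcp" and "ACK" in pkt.flags
                and (pkt.src_port, pkt.dst_port) in self.outbound):
            return "allow"                      # reply to a connection we opened
        return "deny"                           # default deny

def audit(packets):
    """Run packets through a fresh filter; return (decisions, number denied)."""
    f = HostFilter()
    decisions = [f.decide(p) for p in packets]
    return decisions, decisions.count("deny")
```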


